A Look into Public Private Partnerships for Cybersecurity

April 18, 2017

“The United States must treat cybersecurity as one of the most important national security challenges it faces.” This was the central finding of a 2008 report from the Center for Strategic and International Studies Commission on Cybersecurity, prepared to inform the cybersecurity policy of the 44th presidency. [1] Almost a decade later, the integrity of public and private sector network infrastructure is even more crucial to national security.

Cyberattacks pose a unique type of threat, from compromising power grids to impacting financial institutions to leaking confidential information. Due to the novel nature of cyberthreats, former Deputy Secretary of Defense William J. Lynn wrote in a 2008 statement on the Pentagon’s cybersecurity policy that standard models of deterrence will not apply to cyberspace. “Cyberwarfare is like maneuver warfare,” he wrote, “in that speed and agility matter most. To stay ahead of pursuers, the United States must constantly adjust and improve its defenses.” [2]

The past four administrations have emphasized the importance of cybersecurity in both the public and private sectors. Administrative and legislative efforts have emphasized the importance of partnerships between industry and government in defending critical infrastructure, promoting initiatives for cybersecurity education, and ensuring the integrity of network infrastructure. This article examines the role of the private sector in national cybersecurity policy and analyzes the strengths and limitations of cybersecurity public-private partnerships.

Public-Private Partnerships

The public and private sectors can both benefit from working together on cybersecurity initiatives. The private sector controls much of the critical infrastructure that is vulnerable to cyberthreats. Thus, many companies that own such infrastructure already have cybersecurity programs, giving them specific expertise and experience in dealing with potential threats. The public sector has different strengths in that it is better positioned to investigate and prosecute cyber criminals. The source of a cyberattack is often difficult to identify, and government agencies are often better positioned to collect foreign intelligence, collaborate with other international agencies, and gain access to critical information regarding potential threats. [3]

Cooperation between industry and governmental agencies on joint cybersecurity initiatives can leverage the unique yet complementary strengths of both sectors. For example, public-private partnerships are especially effective in mitigating financial cybercrime, for the joint cooperation of the two sectors addresses the interests of consumers, businesses, and the government alike. [4] According to the Intelligence and National Security Alliance, the mission of cybersecurity public-private partnerships (PPPs) is three-fold. First, these partnerships must identify and detect behaviors of concern. Second, PPPs must ensure that actors from both sectors comply with the standards of the partnership. Third, and arguably most importantly, PPPs must provide a mechanism for response after a cyberthreat; this entails conducting examinations of an attack and addressing any necessary shortcomings in the current defense system. [5] Furthermore, effective PPPs should also ensure that cybersecurity developments in the private sector and their policy implications are well understood by policy makers. [4]

Current Hesitations to Establish Public-Private Partnerships

Even though PPPs are beneficial for both sectors, some private companies are reluctant to establish cybersecurity PPPs. One of the key hesitations in the private sector to form a public-private partnership concerns issues of trust, control, and disclosure. Regarding trust, companies often doubt whether they should involve the government after a cyberattack, for the government would necessarily have access to the company’s private data. Moreover, even in the case of a serious breach, companies might still be reluctant to directly involve the public sector if they fear that government involvement would only escalate the severity of the situation. Furthermore, once a private company involves a government agency in investigating a cyberattack, the company would lose autonomy over its investigation. Some companies are also hesitant to share information with the government. Since the government would not be able to provide all data regarding potential cyber crimes because some information may be classified or confidential, many companies feel that the information sharing would end up as a one-way relationship. [3] Moreover, some private companies may also worry that handing over sensitive information may damage their reputation or that the information will not be treated with full confidentiality. [6]

Regarding disclosures, the Securities and Exchange Commission (SEC) requires that significant cybersecurity risks and incidents should be disclosed to investors. Yet, it is unclear how to determine the significance of a given risk or event. Even though members of both the public and private sector have tried to delineate best practices for cybersecurity-related SEC disclosures, companies may still be reluctant to disclose information about a breach, fearing that it would damage their market value, reputation, or clients’ trust. [7] Studies have even found that announcing an internet security breach can hurt a company’s market value. In one study, breached companies lost an average of 2.1% of their market share within two days of disclosing the breach to the public. [8]

Another hesitation to engage in PPPs is the complex regulatory and legal landscape surrounding cybersecurity. In the event of a breach, companies may now need to go even further than standard SEC disclosure obligations. Private companies may even have to disclose potential risks or cyberattacks to state governments, the Department of Justice, or even plaintiffs who are affected by a cyberthreat, depending on the scope of the attack. Moreover, the majority of US states have adopted legislation that requires government agencies to disclose to citizens any breaches of personal information. Thus, in establishing a PPP, the public sector must find a balance between cooperation with the private sector and holding them accountable in the event of a breach. The public sector’s differing obligations make it challenging to partner with the private sector, and without any legislative efforts to clarify cybersecurity regulations, the private sector is faced with a fragmented collection of laws regarding notification, liability, and disclosure in the event of a cyberattack. [9]

PPP Models and Recommendations

Through analysis of current PPPs in areas outside of cybersecurity, there are some proposed models of an effective cybersecurity PPP that would help to mitigate its most apparent limitations. Since private companies identified a lack of trust as a key hesitation in working with the government as part of a PPP, an effective PPP must immediately establish a level of trust and transparency. For example, in order to foster a sense of trust, some PPPs in the Netherlands have created a secure network of information that the government cannot directly access without the express consent of the companies involved. [10]

Moreover, one model has members of the public and private sectors working together on a joint cybersecurity panel to develop trust and promote cooperation and dialogue. This panel could also include representatives from the existing network of Information Sharing and Analysis Centers (ISACs) to create an organization that would reflect the interests of both the government and private companies. Public Utilities Commissions have successfully used such a leadership structure to form a partnership between the government and the local business community. [5]

Source: INSA

Furthermore, there are several proposed recommendations for developing effective cybersecurity PPPs. In a 2016 briefing, the World Economic Forum proposed five key recommendations for developing PPPs to specifically fight cybercrime. Among those recommendations were strategies for establishing more real-time information sharing systems, developing a uniform rule of law for cybercrime, and encouraging national law enforcement agencies to more actively engage in cybersecurity PPPs to improve coordination between the public and private sectors. Keeping in mind concerns about trust, the World Economic Forum also called on both the public and private sector to engage in open discussions about their differing motivations and viewpoints regarding cybersecurity. [11] Furthermore, as the field of cybersecurity is ever changing, it is crucial that cybersecurity PPPs clearly define their goals and also address the often differing agendas of the government and private sector. [12]

Conclusion

Cooperation between the public and private sectors is an essential aspect of our national cybersecurity strategy. Cybersecurity PPPs must be based on a foundation of mutual trust, and open dialogue between private companies and the government can help to ameliorate some of the reluctance in the private sector. Moreover, by clarifying the regulatory framework surrounding cybersecurity, the government can better assuage private companies’ hesitations to reach out to the government in the event of an attack. By addressing these concerns, cybersecurity PPPs can work to develop strategies for risk management and information sharing, and both the private sector and the government will be better equipped to handle future cyberthreats.
